KelpDAO recovers 30,000 ETH with one click, Arbitrum takes action, causing an industry shake-up

Writing by: jsai@Golden Finance

On April 18, 2026, the DeFi sector experienced its largest attack to date in 2026.

KelpDAO’s rsETH bridge (based on LayerZero cross-chain protocol) was exploited by hackers, forging approximately 116,500 rsETH (worth about $292 million). The hackers forged cross-chain messages, minted unbacked rsETH, then quickly exchanged it for ETH, dispersing funds on the Ethereum mainnet and Arbitrum One. About 30,766 ETH (roughly $71 million) remained on the Arbitrum One chain.

On April 21, the Arbitrum Security Council took rare emergency action, successfully freezing and transferring this batch of funds. Compared to the 2022 incident where hackers stole 20 million OP tokens and Optimism explicitly refused to use emergency upgrades to pause or freeze token flows, this is the first known case in Stage 1 L2s (Arbitrum One, Optimism, Base, Starknet, etc.) where a Security Council was activated to freeze funds.

This incident demonstrates some L2s’ response capabilities in crises but also quickly sparked intense debate in the crypto community about the nature of “decentralization.”

1. Arbitrum’s one-click transfer of hacker funds

In a statement released on April 21, Arbitrum official said that, after law enforcement provided information about the attacker’s identity, the Security Council conducted “extensive technical due diligence and review,” and executed a “technical plan” to transfer 30,766 ETH from the hacker’s address to an “intermediary frozen wallet.”

Freeze transaction tx

This wallet can only be unlocked through further action by Arbitrum governance and will not affect any other chain state, users, or applications.

The transfer was completed at 11:26 PM Eastern Time on April 20, and the hacker’s original address can no longer access the funds. This was a “surgical” intervention, not a chain-wide pause or hard fork.

The Arbitrum Security Council has taken emergency action to freeze 30,766 ETH held in Arbitrum One addresses related to the KelpDAO vulnerability. With law enforcement assistance, the council identified the attacker’s identity and ensured that no impact would be made on any Arbitrum users or applications while maintaining the security and integrity of the Arbitrum community.

After extensive technical investigation and review, the Security Council determined and implemented a technical plan to transfer the funds to a safe location without affecting any other chain state or Arbitrum users.

As of 11:26 PM Eastern Time on April 20, the funds have been successfully transferred to an intermediary frozen wallet. The original addresses holding these funds can no longer access them, and only after coordination with Arbitrum governance and relevant parties can further actions be taken to transfer these funds.

2. Detailed explanation of the freeze mechanism: the Security Council’s emergency authority

Arbitrum, as an optimistic rollup on Ethereum (currently rated Stage 1 by L2Beat), has a built-in design balancing decentralization and security.

Its core is a 12-member Security Council (elected by Arbitrum DAO), which has emergency upgrade authority. The council can authorize time-sensitive system contract upgrades or emergency measures via 9/12 multi-signature, aiming to protect the DAO, users, and the entire ecosystem. This is not a “backdoor,” but an open governance design to respond to hackers, vulnerabilities, or major risks.

This action was not just “banning an address,” but leveraging the Security Council’s upgrade capability to execute a precise transfer targeting the hacker-held ETH. Arbitrum’s rollup mechanism allows governance to control specific contract states or execute special transactions in emergencies without altering the entire chain consensus or affecting other addresses.

Based on on-chain analysis and technical reports, the core of this operation was a temporary upgrade to the Inbox contract (the entry point for all Arbitrum→Ethereum messages on L1):

1. The Security Council authorized an emergency upgrade via 9/12 multi-signature: initiating a transaction on Ethereum mainnet to upgrade the Inbox contract (or other related system contracts). After the upgrade, a new function was temporarily added, allowing “any wallet address to send cross-chain messages”—without that address’s private key.

2. Forged transfer message from the hacker address: using the new function, constructing an L1→L2 message, impersonating the hacker address as sender, with content “transfer all ETH from this address to the intermediary frozen wallet.” This step is essentially “signing on behalf of the hacker” a L2 transfer, triggered by the Security Council on L1.

3. Execution of transfer on L2: the message is executed via Arbitrum’s rollup mechanism on L2, transferring 30,766 ETH from the hacker’s address directly to the intermediary frozen wallet. Control of this wallet is only accessible to Arbitrum governance (DAO votes needed to unlock).

4. Atomic completion + rollback upgrade: the entire process (upgrade → forged message → transfer execution → removal of the new function/rollback) is completed atomically within a single Ethereum mainnet transaction. The upgrade is temporary, not permanently altering contract logic, nor affecting other addresses’ balances, contract states, or user interactions.

In simple terms: the hacker’s ETH remains on Arbitrum One, but the Security Council, by forging a transfer message from the hacker’s address, “moved” the stolen ETH from the hacker’s address to a frozen address controlled only by the DAO.

This reflects a practical compromise among speed, security, and decentralization in L2.

3. Community discussion and controversy

This action quickly sparked polarized reactions on X (Twitter) and crypto forums.

Many users praised it as a “correct and brave decision”: partial recovery of funds (about 24% frozen), protecting KelpDAO, Aave, and other protocol users, avoiding larger systemic risks. Some joked “decentralized until it’s needed,” and pointed out Bitcoin is the only “truly unfreezable” chain, while L2s are not purely decentralized by design.

Some even argued that if a chain can freeze stolen funds but chooses not to, that’s dereliction of duty. The Security Council exists precisely for such situations—acting quickly and transparently is more efficient than some centralized stablecoin issuers (like Circle). Arbitrum community members and representatives (like Griff Green) even celebrated this as “a counterattack against hackers (suspected to have some national background).”

At the same time, many voices expressed opposition and concern, which is the controversy surrounding this move by the Arbitrum Security Council, such as:

Disillusionment with decentralization: many pointed out that “this exposes Arbitrum essentially as a multi-signature wallet,” and that the Security Council can unilaterally freeze any address’s funds, setting a dangerous precedent. “Today hackers, tomorrow ordinary users?” “L2 decentralization is just marketing.”

Slippery slope fears: critics argue that although “technically correct,” this shows L2 still relies on trust in a few people (the 12-member council). Future government pressure or governance capture could lead to abuse of such powers. Some announced they would “no longer use Arbitrum, revert to L1.”

The open secret of Stage 1 rollups: supporters remind that this is a Stage 1 feature already marked by L2Beat (most L2s like Base, Optimism are similar), not a bug. But opponents say that user misconceptions about “L2=decentralized” have been torn apart by this incident, revealing the “last shroud” of the myth.

Overall, the community consensus is: in the short term, this was a necessary and effective crisis response, but long-term, it highlights that L2 governance still needs to evolve toward Stage 2 (full decentralization without upgrade keys).

This incident also re-emphasizes the eternal debate in DeFi: “freezing stolen funds vs. absolute censorship resistance.”

Conclusion: The practical choice for L2 security

The Arbitrum Security Council’s action successfully recovered some losses and demonstrated L2’s quick response capability in the face of large-scale hacks.

But it also reminds the industry: most current L2s are still “decentralized under governance,” not “code as law” like L1. As DeFi scales, balancing emergency intervention with minimizing long-term trust will be a key challenge for Arbitrum and the entire L2 ecosystem.

For ordinary users, this may be a signal: when choosing a chain, look beyond TVL and fees—consider governance transparency and emergency mechanisms.

Decentralization in the crypto world has never been absolute; it is an ongoing balancing act.